Free Malware Removal Forum


Hi! and welcome to the Malware Removal forums. My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:

I will be working on your Malware issues; this may or may not solve other issues you have with your machine.

The fixes are specific to your problem and should only be used for this issue on this machine.

It's often worth reading through these instructions and printing them for ease of reference.

If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.

If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

These rules are to make my voluntary work more comfortable:

Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).

Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.

Please reply to this thread. Do not start a new topic.

Also, don't post logs as attachments. Other helpers like to view the logs as well and opening a lot of attachments is irritating. It can also contain malware.

Finally, please make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:

Start HijackThis

Click on the Open The Misc Tool Section button

Click on the Open Uninstall Manager button.

Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic. Also post a fresh HijackThis log.
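For readers who no longer have HijackThis, the same information (the list of installed programs that helpers use to spot unwanted software) can be pulled straight from the registry keys that Add/Remove Programs reads. The script below is an added example and is not part of the original thread or of HijackThis; the output file name and location are assumptions and can be changed.

```powershell
# Added example (not from the thread or from HijackThis). Builds a plain-text
# list of installed programs, the same information the HijackThis Uninstall
# Manager "Save list..." button writes out, by reading the registry keys
# that Add/Remove Programs itself uses.

$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    # Only present on 64-bit Windows; holds 32-bit programs there
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    # Per-user installs (for the account running the script)
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledProgramList {
    $programs = foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Entries without a DisplayName are hidden from Add/Remove Programs,
            # so HijackThis would not list them either; skip them here too.
            if ($p.DisplayName) {
                [pscustomobject]@{
                    Name      = $p.DisplayName
                    Version   = $p.DisplayVersion
                    Publisher = $p.Publisher
                    # The command Windows would run to uninstall it; useful for
                    # spotting entries that point at odd locations such as Temp
                    Uninstall = $p.UninstallString
                }
            }
        }
    }
    $programs | Sort-Object Name -Unique
}

# Assumed output location: a text file on the current user's desktop
$outFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'uninstall_list.txt'
Get-InstalledProgramList |
    Format-Table -AutoSize |
    Out-String -Width 300 |
    Set-Content $outFile
Write-Host "Saved $outFile - paste its contents into your reply."
```

Run it from a normal PowerShell prompt; no elevation is needed for reading these keys. The UninstallString column is included deliberately: an entry whose uninstall command lives in a temporary or user-profile folder is one of the things a helper looks for in such a list.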

Note: Since originally posting, AVG has indicated that the program isolated and quarantined a Trojan Horse Rootkit-Agent DA in the wdmaud.sys file contained in the Windows\System32 directory. This Trojan Horse Rootkit-Agent DA was also isolated and quarantined in the System Volume Information restore file for Feb 4.

Here is the AVG Log file beginning from the day prior to the detected infection:


That malware is known to cause these problems with redirections in Firefox, so that should be it. Other than that and some orphaned registry entries your logs look clean. Let's delete the orphaned entries and run a scanner to make sure the malware is gone.

Step 1: Disable SpySweeper

Please disable SpySweeper as it may interfere with the fix.

Open SpySweeper.

Click Shield Settings on the right, or Shields on the left, depending what screen you're on.

Click Internet Explorer and uncheck all items.

Click Windows System and uncheck all items.

Click Hosts File and uncheck all items.

Click Startup Programs and uncheck all items.

Close SpySweeper.

Once your log is clean you can re-enable those settings in SpySweeper.

Step 2: Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

First:

Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)

Choose Exit Spybot S&D Resident

Second:

Open Spybot S&D

Click Mode, check Advanced Mode

Go To Left Panel, Click Tools, then also in left panel, click Resident

If your firewall raises a question, say OK

Uncheck the box labeled Resident Tea-Timer and OK any prompts.

Use File, Exit to terminate Spybot

Once your log is clean you can re-enable those settings in TeaTimer.

Step 3: Disable Windows Defender

Please disable Windows Defender Real Time Protection as it may interfere with the fix. To disable Windows Defender:

Open Windows Defender

Click Tools

Click General Settings

Scroll down to Real Time Protection Options

Uncheck Turn on Real Time Protection (recommended)

Click Save

Close Windows Defender

Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable Windows Defender Real Time Protection.

I do not appear to be having any problems with either Firefox or IE redirects. I am hopeful that you are able to declare me "free to go" again. Your volunteered efforts are most sincerely appreciated by those of us who use your service. Thank you again.

Firefox: Click Firefox at the top and choose: Select All. Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera: Click Opera at the top and choose: Select All. Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 2: Run Malwarebytes' Anti-Malware

As you already have it, there is no need to download it.

Start MalwareBytes' Anti-Malware

Check for updates to make sure you have the latest version.

After updating, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Close the Notepad file.

The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 3: Update Java

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

First remove the older versions:

While my computer appears to be able to access all Firefox and IE sites ok, I have now got a problem with my Windows Messenger not working properly. May not be related but I can no longer access the Messenger Games. Continue to get stalled or get message that the games are not available. I tried updating to Windows Live Messenger 2009 which made it worse so I uninstalled Windows Live for now but that leaves me without access to my Messenger on which I rely to communicate with my contacts. Again, not sure whether this is malware related or not.

Thank you John. Have completed the latest HijackThis task. See most recent log below. ** The Carbonite is now backing up files again (Thank you!). I have reinstalled Windows Live Messenger but used Version 8.5 rather than Windows Live Messenger 2009.

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have. If you think you're clean please give one more reply so that I can archive this topic.

Now that you are clean, I have some tips & tricks for you to keep your computer clean and secure. The first few (like removing dangerous tools and Windows Update) have to be done, the others are optional (beginning with SpywareBlaster).

It may seem like your system will be over-protected with all these things installed, but a lot of these programs aren't always running in the background, so they don't slow down your computer. Please take a look at the following things:

Uninstall tools - The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.

Go to Start

Click on Run

Type ComboFix /u (Note: This command is case sensitive.)

After doing that with ComboFix, do this with OTCleanIt to remove the tools not removed by ComboFix.

At the end the program will ask to let it reboot the computer. Let it do so.

You may delete any logs and other tools left on the desktop.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. You can download it here: SpywareBlaster

Install WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You can download it from this website: WinPatrol. The developer is a well-known man in the MalWare Removal business. If you really like WinPatrol think about upgrading to the PLUS version. It will give you additional features and you will only have to pay once, for your whole malware-free life.

Install MVPS HOSTS - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial here: WinHelp2002. Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

Use an alternative Internet Browser - Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox << Most used, I use this one myself. Opera

Bookmark general cleanup link - It could be that your computer is becoming slower and slower. This is not always caused by malware. Most of the time it's malware when your computer is suddenly getting slow or doing strange things. When the slowdown increases slowly, check (so bookmark it now) this link for tips & tricks: What to do if your Computer's running slowly

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints called Malware Complaints. Please register there first! Then follow the instructions here: http://images.malwarecomplaints.info/We ... general=on
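The six Custom Level settings John lists under "Make your Internet Explorer more secure" are stored as DWORD values under the Internet zone key in the registry, so they can be checked (and, if you like, set) without clicking through the dialog. The script below is an added example, not part of the original post; the value-name-to-label mapping is the standard one Internet Explorer uses (zone 3 is the Internet zone; data 0 = Enable, 1 = Prompt, 3 = Disable), and the -Apply switch is this script's own convention.

```powershell
# Added example (not from the thread). Audits the Internet zone settings
# listed in the post above and, with -Apply, sets them to the recommended
# values. Reads the same registry values that Internet Options > Security >
# Custom Level writes for the Internet zone (zone 3).
param([switch]$Apply)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Registry value name -> dialog label and the setting recommended in the post
# (0 = Enable, 1 = Prompt, 3 = Disable)
$desired = @{
    '1001' = @{ Label = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Label = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Label = 'Initialise and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Label = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Label = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Label = 'Navigate sub-frames across different domains';              Value = 1 }
}
$settingName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-SettingName([object]$data) {
    if ($null -eq $data) { return '(not set - zone default applies)' }
    if ($settingName.ContainsKey([int]$data)) { return $settingName[[int]$data] }
    return "unknown ($data)"
}

function Test-IEZoneSettings {
    # Returns one object per setting describing current vs. recommended state
    $props = Get-ItemProperty -Path $zoneKey
    foreach ($valueName in ($desired.Keys | Sort-Object)) {
        $current = $props.$valueName
        [pscustomobject]@{
            Setting     = $desired[$valueName].Label
            Current     = Get-SettingName $current
            Recommended = $settingName[$desired[$valueName].Value]
            OK          = ($null -ne $current) -and ([int]$current -eq $desired[$valueName].Value)
        }
    }
}

function Set-IEZoneSettings {
    # Writes the recommended values; IE picks them up the next time it starts
    foreach ($valueName in $desired.Keys) {
        Set-ItemProperty -Path $zoneKey -Name $valueName `
            -Value $desired[$valueName].Value -Type DWord
    }
}

Test-IEZoneSettings | Format-Table -AutoSize
if ($Apply) {
    Set-IEZoneSettings
    Write-Host 'Recommended values written; re-running the audit:'
    Test-IEZoneSettings | Format-Table -AutoSize
}
```

Run it without arguments first to see which of the six settings differ from the post's recommendations, then with -Apply to change them for the current user. If a value shows as "not set", the zone is still on its built-in default for that item; the dialog shows the default in that case, and -Apply writes an explicit value. On machines where an administrator has locked the zone settings through Group Policy, the HKCU values are ignored and the policy values win, so the audit result will not match what the dialog shows.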

Hello John and thank you very much for your assistance. I have completed the most recent tasks (removing orphan files) and changed the IE security settings as suggested. I have also removed Combofix and used the OTCleanIT utility. I currently use professional (paid) versions of AVG Antispyware which is updated daily, ZoneAlarm Pro firewall and 3 different antispyware programs including the paid version of Spysweeper by Webroot, and the free versions of Superantispyware and Spybot Search and Destroy. Finally I have been using the custom Host file recommended by Kim Komando (webpage: http://www.mvps.org/winhelp2002/hosts.htm). I am confused as to what programs you recommend I delete when I install those you recommend. I am concerned re having duplicating and conflicting antispyware programs. When I went to install SpywareBlaster from your recommended website I ended up somehow at a download for spyware doctor so I cancelled the download. I also use Firefox as my regular browser, not IE. I will review your Bookmark clean up link tomorrow. I also have automatic updates from Microsoft selected for critical updates. At this point in time I don't appear to have any further issues other than the Messenger Live Games do not appear to be consistently working but I suspect that to be a different problem than malware.

I am confused as to what programs you recommend I delete when I install those you recommend. I am concerned re having duplicating and conflicting antispyware programs.

With this amount of Anti-Spyware programs installed it is no problem if you do not want the other programs that I suggested. It is fine like this.

When I went to install SpywareBlaster from your recommended website I ended up somehow at a download for spyware doctor so I cancelled the download.

Hmm, I just tried it and it worked. After clicking the link you must click the download button on the left and then the download button on the right. If it does not work, there is no big problem because you already have the custom hosts file which is sufficient.

At this point in time I don't appear to have any further issues other than the Messenger Live Games do not appear to be consistently working but I suspect that to be a different problem than malware.

I thought removing the O16 HijackThis lines fixed it because you no longer talked about it. If you want me to give it a try troubleshooting it then that is fine by me. If so, please tell me if you get any errors and let me know where exactly the Windows Live games get stuck.
